| 1 | First off, I would not recommend using this in a type of enviroment that |
|---|
| 2 | security is a really big concern. I am *NOT* saying that you shouldn't be |
|---|
| 3 | concerned about it, but, until the system is thoughly tested. I would not |
|---|
| 4 | recommend it. |
|---|
| 5 | |
|---|
| 6 | Because of the current methods that the email system works. It is required |
|---|
| 7 | that the users password is in the sessions table. IMAP needs the password |
|---|
| 8 | to verify the user. This is one of the main reasons for the stalesessions |
|---|
| 9 | program. I do not like keeping passwords in any medium that is not encryped. |
|---|
| 10 | |
|---|
| 11 | The email system stores its file attachments in a temp directory. For right |
|---|
| 12 | now, you need to watch this directory because it can fill up very quickly. |
|---|
| 13 | If a user does not finsh composing the message (going else where in the program, |
|---|
| 14 | internet connection dieing, browser crash, etc) the file will sit there until |
|---|
| 15 | it is deleted. There will be a simple cron program to go through and clean |
|---|
| 16 | things up. |
|---|
| 17 | |
|---|
| 18 | The files/users and files/groups directories need to be writable by the UID |
|---|
| 19 | that php runs under (nobody or your apache UID). This is a security risk |
|---|
| 20 | if 3rd parties can place php or cgi scripts on your machine, because they |
|---|
| 21 | will have full read/write access to those directories. |
|---|
| 22 | You should also consider moving the files directory outside of the |
|---|
| 23 | tree your webserver has access to to prevent websurfers from directly accessing |
|---|
| 24 | the files, or add in .htaccess files to restrict access to that tree. |
|---|
| 25 | |
|---|
| 26 | Besides this, there is nothing else that I am aware of. Let me know if you |
|---|
| 27 | find anything. |
|---|
